How To: Protect Against a Zero-Hour Attack

In the last year, a series of viruses and worms that caused damage across the Internet in record time has made very clear how vulnerable our computer systems are. The MS Blaster, Slammer, Sasser, and Korgo.W worms have shown that signature-based antivirus software and traditional firewalls are not enough to protect networks. Everyone is worried about a zero-hour attack — an attack based on a previously unknown vulnerability and completely immune to antivirus software. What can you do to protect your network from such an event? Here are a few ideas:

Use file integrity checking.

File integrity checking tells you if the software you think you have installed on your network is actually what it is supposed to be. There are a number of free utilities to do this — Tripwire is the best known among them. Traditionally, file integrity checking is used to identify recent changes on a PC. That way, when things go desperately wrong you can try to back out of the latest changes. File integrity checking is also useful for discovering spyware and viruses your antivirus software has missed.
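As an added illustration (not code from the original article or from Tripwire), here is a minimal integrity checker in Python: it snapshots a hash, size and permission bits for every file under a directory, and a later run reports which files were added, removed or modified. The sample tree and the changes made to it in demo() are constructed for the example.

```python
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 64 * 1024


def sha256_file(path):
    """Stream the file so large binaries never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record hash, size and permission bits for every regular file under root."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": sha256_file(p), "size": st.st_size, "mode": st.st_mode & 0o777}
    return baseline


def compare(baseline, current):
    """Classify each path as added, removed, or modified (content or mode changed)."""
    old, new = set(baseline), set(current)
    modified = sorted(f for f in old & new if baseline[f] != current[f])
    return {"added": sorted(new - old), "removed": sorted(old - new), "modified": modified}


def demo():
    """Constructed sample tree: snapshot it, alter it, then diff against the snapshot."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "svc.exe").write_bytes(b"MZ original service")
        (root / "config.ini").write_text("debug=0\n")
        snapshot = json.dumps(build_baseline(root))  # store this copy off the machine
        # Simulate the kind of changes an infection leaves behind (constructed).
        (root / "bin" / "svc.exe").write_bytes(b"MZ original service" + b"\x90" * 8)
        (root / "bin" / "dropper.dll").write_bytes(b"MZ new file")
        (root / "config.ini").unlink()
        return compare(json.loads(snapshot), build_baseline(root))
```

The baseline is only trustworthy if it is taken on a known-clean system and kept where the PC being checked cannot rewrite it.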

Run new or unknown software in a sandbox.

A new generation of antivirus software extends file integrity checking by making unknown software run in a "sandbox." This form of isolation prevents viruses or worms from propagating unless they can trick a known program into doing the work for them. Using this technique, new or unknown programs are not allowed to do the following things:

Talk on the network

Run at your full security access

Write to another EXE or DLL file

Write to another process's memory

Modify critical registry entries

Execute other programs

Another way to develop a sandbox is by using Microsoft's Active Directory to keep users from installing anything new. Any new software is then carefully checked by the network administrator before it is installed on the rest of the network. In effect, this makes the network administrator's PC the sandbox.

Scan autoruns.

Each PC's autorun programs should be periodically scanned for threats. This is a favorite place for viruses, worms, and spyware to invade. There is a terrific free utility called Autoruns from SysInternals that will show you everything that is run when you boot up your PC.

Use intrusion prevention at the gateway and on each desktop.

Effective intrusion prevention software monitors network traffic and matches it to known types of attacks. This approach would have stopped the Sasser and Korgo.W worms in their tracks since they exploited known vulnerabilities. Intrusion prevention rules are continually updated by your vendor. You also should be able to add new intrusion prevention rules yourself.

Use heuristic and signature-based antivirus software.

Most networks are already using this software. A recent addition is the ability for users to easily create their own virus signatures and to distribute them throughout their networks. This frees you from absolute dependence on your antivirus company.

Be aware of Microsoft holes.

It is no secret that Microsoft systems and programs are the most vulnerable to attack. Some software vendors have extended Microsoft's security by adding to Windows the concept of program permissions. Just as users have permissions for directories and files, programs can have permissions to access different parts of the operating system, giving you direct control over what they can and cannot do. Using applications with program permissions can help counter Windows-related vulnerabilities.

Will these suggestions eliminate network attacks? No. But they will go a long way toward minimizing the damage they do to networks and the critical data they hold.

Rob McCarthy is president of network security firm Lightspeed Systems.